Re: Problem with using 2 sensors

[Kevin Ross <kevross33 () googlemail com>]

Yes. You just need to configure the database user to be snort@REMOTE SENSOR
IP. Setup mysql to bind to the IP address, point barnyard on the remote
sensor to log to the remote datababase and then allow access through
firewall.

i.e
LOCAL:
mysql configuration file: bind-address=LOCAL_IP
iptables -I INPUT 1 -s REMOTE_SENSOR -p tcp --destination-port 3306 -j
ACCEPT

mysql -u root -p
grant ALL PRIVILEGES on snort.* to snort@REMOTE_IP with GRANT option;
SET PASSWORD FOR snort@REMOTE IP=PASSWORD(‘test’);

REMOTE:
Make sure to write snort Unified 2. Snort opening a database itself rather
than just writing to unified2 slows snort down significantly as it cannot
watch the network while doing this; over network will be even slower.
Barnyard2.conf: output database: log, mssql, dbname=snort user=snort
password=test host=REMOTE SENSOR IP
restart barnyard
Also in barnyard2.conf set the localhost name to be something meaningful to
that sensor so when you look at snort say with BASE you can narrow down with
sensor and also see what sensor is actually generating alert:

i.e
Internet_Sensor
Server_Room1
Server_Room2
Remote_Site1

And so on.  Otherwise you will have difficulty telling which sensors are
actually generating the alerts. Also use emergingthreats.net signatures for
more insight into malware and current events.

http://www.emergingthreats.net/index.php?option=com_content&view=frontpage&Itemid=1
You can see rule updates for ET (Free) and ETPRO (paid) here:
http://blog.emergingthreatspro.com/

Regards, Kev



On 8 October 2011 02:19, Mike Boeckeler <boeckelr () gmail com> wrote:

> Hi everyone,
>
> I wanted to thank all of you for giving such detailed responses.  I am
> going to try to tackle this again tonite and this weekend.
>
> I posted my original message at the bottom of this in case you forgot the
> issues involved...after reading thru all of your responses I have another
> question or two:
>
> OK, so I will set up two instances of Snort, Barnyard2, 2 unique unified2
> files etc.....but what about MySQL?  Will the single MySQL database work
> with this setup?  Or will I need to create a unique database for each
> sensor....and then a unique install of BASE for each sensor?
>
> Thanks again!
> Mike
>
> BTW I don't know where I got the -E command line option from.
>
>
>
> On Tue, Sep 27, 2011 at 4:27 PM, Lay, James <james.lay () wincofoods com>wrote:
>
> > <snip>
> >
> > /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth1
> > &
> > /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth2
> > &
> >
> > /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
> > -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \
> > -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
> > -C /etc/snort/classification.config
> >
> > <snip>
> >
> >
> > Mike,
> > Just like folks are saying, you'll need two separate instances of both
> > snort AND barnyard2 (I thought the same thing when I first started with
> > barnyard...thought "I can run it once and it will read all my u2 files from
> > all my running snort instances"...wrong ;)).  I would copy snort.conf to
> > snort1.conf and snort2.conf, and barnyard2.conf to barnyard21.conf and
> > barnyard22.conf, then change where they log at least where the u2 files are
> > kept for snort, and change to reflect the interface in both barnyard files.
> >
> > Change in your barnyard2 conf files:
> > Barnyard21:     config interface:  eth1
> > Barnyard22:     config interface:  eth2
> >
> > And in your snort conf files:
> > Snort1.conf:    output unified2: filename /var/log/snort1/snort1.u2
> > Snort2.conf:    output unified2: filename /var/log/snort2/snort2.u2
> >
> > Then run like so:
> >
> > /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort1.conf -i
> > eth1 &
> > /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort2.conf -i
> > eth2 &
> >
> > /usr/local/bin/barnyard2 -c /etc/snort/barnyard21.conf -d
> > /var/log/snort/snort1 -f snort1.us -w /etc/snort/snort1.waldo
> > -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C
> > /etc/snort/classification.config
> >
> > /usr/local/bin/barnyard2 -c /etc/snort/barnyard22.conf -d
> > /var/log/snort/snort2 -f snort2.us -w /etc/snort/snort2.waldo
> > -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C
> > /etc/snort/classification.config
> >
> >
> > I've found separating out the .u2 files in different directories to be
> > cleaner (although I have all instances logging to a single all.fast file for
> > easy monitoring).  You can change the names to whatever...I've found naming
> > the interfaces (internal/external) and integrating it into the conf name
> > works well too (intbyard2.conf, intsnort.conf). Hope that helps.
> >
> > James
> >
> >
> > ------------------------------------------------------------------------------
> > All the data continuously generated in your IT infrastructure contains a
> > definitive record of customers, application performance, security
> > threats, fraudulent activity and more. Splunk takes this data and makes
> > sense of it. Business sense. IT sense. Common sense.
> > http://p.sf.net/sfu/splunk-d2dcopy1
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
>
>
> -------------------------------------------------------------------------------------------
>
> Original Message:
>
>
> On Tue, Sep 27, 2011 at 3:53 PM, Mike Boeckeler <boeckelr () gmail com>
>  wrote:
>
> > Hi everyone,
> >
> > A few days ago I posted a message about how no matter what I tried, I
> > could not get my setup running.  Needless to say my frustration level was
> > off of the charts.
> >
> > Anyway I seem to have crossed most of the hurdles and have gotten almost
> > everything working.  I am running Ubuntu 10.04, Snort 2.9.1,
> > Snortrules-snapshot-2910, BASE and Barnyard 2.
> >
> > I have 3 interfaces - eth0 goes to the Internet for updates etc.....eth1
> > is a sensor and it is located on a hub between my dsl modem and router.
> >  eth2 is also a sensor, and it is located on a SPAN port, monitoring traffic
> > inside of my ASA.
> >
> > BTW I used the Snort/Debian install guide posted on Snort.org for most of
> > this install.
> >
> > If I start up first Snort and then Barnyard2 like you see below,
> > everything runs, but BASE only reports alerts on eth2 (inside my network).
> >  Also, it only reports that there is 1 interface.
> >
> > /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth1
> > &
> > /usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth2
> > &
> >
> > /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
> > -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \
> > -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
> > -C /etc/snort/classification.config
> >
> > Now I know that traffic is getting thru by using Wireshark and tcpdump to
> > watch eth1 and eth2 as I try to trigger alerts with nmap.
> >
> > In fact, if I forget about BASE, Barnyard and Mysql, and run snort like
> > this:  "snort -i eth1" in one terminal, and "snort -i eth2" in another
> > terminal, both get the alerts that they should.  So the problem must be in
> > Mysql, Barnyard2, etc.
> >
> > I have tried using two different snort.confs - one for the command that
> > starts the eth1 instance; and the other for the command that starts the eth2
> > instance, but to no avail.
> >
> > Does anybody have any ideas that might help?  I have emailed Joel off-list
> > and he provided some good insights on particular issues, but I still need
> > help with the aforementioned problems.
> >
> > I greatly appreciate any help that you guys can provide.
> >
> > Thanks!
> Mike
>
>
>
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2dcopy2
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2dcopy2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!